# Cyborg

![](/files/-MbrFEAiibuk1qpIgrX_)

## Reconnaissance

Initial nmap scan to find open ports, using the flag that treats all hosts as alive (**-Pn**):

```
nmap -Pn 10.10.4.121
```

![](/files/-MbrFYxN8fW5-0G_3Tow)

We have two open ports: 22, which is running SSH, and 80, which is running HTTP.

![](/files/-MbrFiLT9pU99IaTIf-a)

Detailed Nmap scan:

Command breakdown:

* (**-sV**): Service version
* (**-sC**): Default nmap scripts
* (**-p**): Specifying ports 22,80
* (**-oN nmap**): Saving it into a file called nmap

```
nmap -sV -sC -p 22,80 -oN nmap 10.10.4.121
```

![](/files/-MbrFmAFoHDFcTYOrfGr)

## Enumeration

Let's visit the web server.

![](/files/-MbrFzFurL32aoCOnEdC)

It's a default Apache2 page, so let's run gobuster to find hidden directories and files.

![](/files/-MbrGVvYXAFtGo5UUJPl)

There is an admin directory, so let's go check it out.

![](/files/-MbrGbthNzg2RxjoykyM)

It's a website with information about a person. Let's explore the website and see what we can find. When you go to the Admins tab, you find this information:

![](/files/-MbrGp56YfiknVBuNCe_)

Looks like there is a backup called `music_archive`. We also get another hit on `gobuster`:

![](/files/-MbrHFrqpDPXAyc2zeGH)

An `/etc/` directory. This might be the config files that Alex was talking about, so let's go visit it.

![](/files/-MbrHWPypgkOzpYrzCqv)

Clicking on the folder we see some interesting files

![](/files/-MbrHboPgfVX1znMFjDo)

We have a `squid.conf` file and a `passwd` file. Let's download these to our machine.

```
wget http://10.10.4.121/etc/squid/<file-name>
```

![](/files/-MbrINZbdFgmBcqisnBk)

Let's check these files out.

![](/files/-MbrIpo5p0aQ6YH1UpI0)

Looks like a hash. Let's crack this using `john the ripper`.

![](/files/-MbrIwKi-1riKRJ3IOKl)

We found a password: `squidward`. Let's look at the other file.

![](/files/-MbrJBa48An_kULdSkce)

Doesn't look like anything important. One thing we did not find is the archive file Alex was talking about, so I went to go look for it and found it here.

![](/files/-MbrJ_OJPSAj_BueBlcJ)

Let's download this.

![](/files/-MbrJdqL-3rgB20aFiGs)

The archive is a `tar` file. Let's click OK after selecting Save File. Now let's check its contents.

```
tar -xvf archive.tar
```

![](/files/-MbrKbE_npB5rPuPh_am)

We found these files. I went through many of them and many did not make sense except this one.

![](/files/-MbrLGKzCd0RyhSeET6G)

Looking at this information, I went to Google and searched on this topic and found this [page](https://borgbackup.readthedocs.io/en/stable/usage/extract.html), where I saw that there were commands we could use. So I went to look for the file with which we can use borg commands, and one of the results was `GitHub`.

![](/files/-MbrM0mvHm_wogLLikRk)

Next I went here as it said that it had recent releases.

![](/files/-MbrMOjhf4w6UK2KHMyq)

I downloaded the Linux file.

![](/files/-MbrN2A7pwrdAvftAlSE)

![](/files/-MbrNK-iMUmq6k3UNQh3)

Let's list the files. I tried using it when I got this message:

```
borg list home/field/dev/final_archive
```

![](/files/-MbrNkAHzlF4bbtTf2sv)

And so I downloaded the tool. Now let's list the files:

```
borg list home/field/dev/final_archive
```

![](/files/-MbrNp_8if_IqT7wkNxD)

Earlier in our enumeration we found a password, `squidward`. Let's use that.

```
borg list home/field/dev/final_archive
```

![](/files/-MbrNzg7yQ1MnrTG4oBA)

And it worked. We have an archive file called `music_archive`; now let's extract this file too.

```
borg extract home/field/dev/final_archive/::music_archive
```

It asks for a password, and I just used the one from before and it worked.

![](/files/-MbrP5mk38AIFZMRYIGA)

We extracted a folder called `alex`. Navigating through it, I found this file:

![](/files/-MbrPetSjsc5jXz8-Bav)

It has nothing interesting. I also found this file:

![](/files/-MbrPnaSEo5KGWeLkno_)

It has a username and password. Let's try to log in with these credentials through SSH.

```
ssh alex@10.10.4.121
```

![](/files/-MbrT41oO1TEt5AOGr3q)

We are logged in. We can also cat the `user.txt` file

![](/files/-MbrTOCjkZS7dSH2lA9b)

## Privilege Escalation

Let's run `sudo -l` to see what we can run as root.

![](/files/-MbrTZHTUEiDgm43A_8g)

Looks like we can run this file. Let's see what it does.

![](/files/-MbrTlC3norG7ZQVZWNP)

Looking through it, the `getopts` call is the interesting part. According to Google, it is a shell built-in for parsing the options and arguments passed to a bash script. This is the [article](https://sookocheff.com/post/bash/parsing-bash-script-arguments-with-shopts/) I found after googling. In summary, when we pass the script the `-c` option followed by a command, `getopts` reads that command and hands it to the script, which then executes it. Let's run a bash command.

```
sudo /etc/mp3backups/backup.sh -c bash
```

![](/files/-MbrVVC5EInSpj-xF6ij)
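Why a `-c` option like this is dangerous in a script allowed under `sudo`, and one way to close it. This is an added example and not the room's `backup.sh`; the function names and the `list`/`verify` actions are hypothetical.

```bash
#!/usr/bin/env bash
# Constructed illustration of the option-handling pattern, not the real script.

# Weak form: whatever follows -c is executed verbatim.
# If sudoers lets a user run the script as root, this is arbitrary root execution.
run_backup_weak() {
  local flag command=""
  OPTIND=1                      # reset so the function can be called repeatedly
  while getopts "c:" flag; do
    case "$flag" in
      c) command="$OPTARG" ;;
      *) return 2 ;;
    esac
  done
  [ -z "$command" ] && return 0
  sh -c "$command"              # caller-controlled string run as-is
}

# Hardened form: -c only selects a named action from a fixed allowlist.
run_backup_safe() {
  local flag action=""
  OPTIND=1
  while getopts "c:" flag; do
    case "$flag" in
      c) action="$OPTARG" ;;
      *) return 2 ;;
    esac
  done
  case "$action" in
    "")     return 0 ;;
    list)   echo "listing backups" ;;     # stands in for a fixed, hard-coded command
    verify) echo "verifying backups" ;;   # stands in for a fixed, hard-coded command
    *)      echo "rejected action: $action" >&2; return 64 ;;
  esac
}
```

The hardened form never passes `$OPTARG` to a shell, so the option value can only choose between commands the script author wrote.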

We are now root, but none of the commands worked.

![](/files/-MbrVczx09M01ecF1kx5)

What we have to do is set the SUID bit on bash, then exit the shell and use the bash binary to get root on the box and execute commands.

```
chmod 4577 /bin/bash
exit
bash -p
cd /root
cat root.txt
```

Using these commands we can read the root flag.

![](/files/-MbrWKTzYypmhj_63h3f)
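The `chmod` step above leaves a setuid bit on `/bin/bash`, which is easy to audit for. The check below is an added example, not part of the original write-up; the function name is hypothetical and it assumes the host lists its login shells in `/etc/shells`.

```bash
#!/usr/bin/env bash
# Print every shell listed in a shells file (default /etc/shells) that carries
# a setuid or setgid bit. Returns 0 if any were found, 1 if none, 2 on error.
find_privileged_shells() {
  local shells_file="${1:-/etc/shells}" path target found=1
  [ -r "$shells_file" ] || return 2
  while IFS= read -r path; do
    case "$path" in
      ""|\#*) continue ;;                 # skip blank lines and comments
    esac
    # Resolve symlinks (e.g. /bin/sh -> dash) so the real binary is checked.
    target=$(readlink -f "$path" 2>/dev/null) || continue
    [ -f "$target" ] || continue
    if [ -u "$target" ] || [ -g "$target" ]; then
      printf '%s\n' "$target"
      found=0
    fi
  done < "$shells_file"
  return "$found"
}
```

A shell should never appear in this output on a healthy system, so any hit is worth an alert and a look at who changed the file mode.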

